Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Tiny Island Atoll’s Domain Used in Widespread Ad Fraud

The campaign is believed to bring in close to $22,000 per month for bad actors.

A scam campaign involving “.tk” domains has been active since at least May 2018, redirecting unsuspecting users to fake blogger sites that are collectively bringing in close to $22,000 per month in advertising revenue.

The same actors have also been spotted running a tech-support scam in tandem, also using .tk domains.

The .tk suffix indicates a a top-level domain that’s supposed to stand for a country, like .ca (Canada) or .fr (France). In this case, it represents a tiny Pacific island nation called Tokelau, affiliated with New Zealand, which has a landmass consisting of four square miles and is home to about 1,300 people. It’s a place unlikely to be hosting a massive ad fraud campaign.

However, .tk domains are more than cheap, they’re free, making them very attractive for anyone globally who may be looking to stand up a fast web-attack infrastructure without caring about URL branding. Researchers at Zscaler in July found a network of thousands of .tk sites built to do just that.

The campaign first came to light when the team discovered a series of legitimate websites that had been compromised with redirection code: “Some of the compromised sites have plain-text injected redirection code, and many of them have packed and obfuscated injected redirection code,” the researchers noted in an analysis last Friday; interestingly, for some of the sites, the code doesn’t redirect for every hit; instead, redirection takes place when a random number “3” appears.

In all of these cases, they push visitors to web URLs with .tk suffixes, which then send them to either purported “blogger sites” or, in a variation on the theme, one of several fake tech-support sites that claim to remove viruses and urge visitors to call a number for help.

In all, 3,804 unique .tk domains implicated in the campaign have been found, some established as far back as May. Zscaler told Threatpost that a vast majority of them are involved in redirecting to fake blogger content and just a few of them are involved in the tech support scams.

Estimated traffic and ad revenue for one of the scam sites.

For the blogger-site gambit, the researchers told Threatpost that the .tk infrastructure is being leveraged for either hosting the initial lure page or for intermediate redirect content. These URLs will lead to fake sites which may or may not be using .tk domains themselves.

The redirection URL changes each time, rotating between 72 fake blogging content sites with garbage site names like “braceletstartop”, “din9” or “jessica1”, all tied to the same IP address (162.244.35[.]55). The content is either plagiarized or spam content, and the sole purpose of the pages is showing ads. Zscaler noted that taking an average of $300 per month, revenue could be as high as $21,600. Traffic, the firm found, is increasing to these sites on a daily basis.

In other cases, the .tk campaign URL redirects to fake tech support websites displaying alert messages that ask users to call a given number for technical assistance. These scam URLs also all use nonsense nomenclature, like “wizenedrusty” and “savoirplaisir”. If users call the number, a human will attempt to take payment details.

Fake tech support scam site with pop-up window.

“The campaign appears to be very simple but well thought out and already producing results in terms of revenue,” Zscaler told us. “We are not able to attribute this to a specific group yet.”

Zscaler researchers also said that traffic is steadily increasing to the scam sites; and the activity, as pervasive and growing as it seems to be, could be the tip of the atoll, so to speak, for the malefactors behind the scams.

“Over the last three months, this campaign has largely been redirecting users to fake blogger sites and tech-support scam sites, but it’s reasonable to assume that in the future, the campaign may start redirecting to phishing sites, exploit kit gates or any malicious site that can generate revenue in one way or another,” the team noted.

This seems like a fair conclusion given that there’s precedent: In fact, in July the sprawling Master134 malvertising campaign was found, involving at least 10,000 compromised websites and driving legions of web visitors around the world to exploit kits.

“Unfortunately, lack of transparency in the digital supply chain combined with the millions of internet users at the receiving end of digital ads have turned traffic fraud into a lucrative multi-billion dollar business and, therefore, entice crime and corruption,” said Chris Olson, CEO of the Media Trust, via email. “To combat traffic fraud, all digital players should police their digital partners and the code those partners execute in their digital ecosystem; ensure partners are adequately secure from malicious attacks; and continuously scan their digital ecosystems in real-time to identify and, when needed, terminate unauthorized code.”

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.